CompTIA Security+ Training Kit: Vulnerability Assessment and Management

  • 9/15/2013
Contents

Vulnerability scanning

Vulnerability scans serve several purposes for organizations. Not only do they help organizations identify vulnerabilities, they also help point out when security controls have not been properly put in place, or when an attacker or misconfiguration has disabled them. They also help organizations find common misconfigurations such as default usernames and passwords, default directories and scripts that can be dangerous, and a host of other, similar issues.

Organizations typically conduct vulnerability scanning one of two ways: by using internal tools to passively scan for vulnerabilities by checking version numbers and configurations, and by active scanning using a vulnerability scanning tool. We’ve already discussed security baselines, which can provide passive identification, , so this chapter takes a look at active vulnerability scanning tools.

Vulnerability scanning tools

A key part of assessing vulnerabilities is scanning for them. This is done by using a variety of tools, including packet sniffers, port scanners, vulnerability scanners, and specialized tools such as web application vulnerability scanners. Each of these tools has a role to play in a vulnerability assessment, and they are often used together or in sequence to help provide a faster, more accurate result.

We will examine each of these tools in the order in which they are frequently used to scan systems and networks. The process typically starts with a sniffer and a port scanner, which are used to look for hosts that provide services on the network. From there, vulnerability scanners are used to find vulnerable services and systems. Finally, if you discover web applications, you might want to use a web application vulnerability scanner’s specialized abilities to test it.

Protocol analyzers and sniffers

In Chapter 2, “Network security technologies,” we looked at protocol analyzers and sniffers, tools that allow you to view and analyze network traffic on the wire. The capabilities that make these tools useful for detecting attacks and analyzing attack traffic also make them a useful part of vulnerability assessment.

NOTE: A Sniffer By Another Name

Remember that protocol analyzers, packet analyzers, packet sniffers, and sniffers are all names for the same tools used to read network traffic and display it.

There are a few ways in which sniffers are frequently used during vulnerability analyses and during penetration tests, which include:

  • Capturing data during port scans and vulnerability scans to provide additional information about what data is being sent and received. This provides a log that penetration testers find useful to demonstrate what occurred and when. Capturing network activity can also provide more information about specific responses, allowing manual analysis if needed.

  • Providing insight into the actual content of traffic sent by an attacker or attack tool, thus allowing security professionals to assess the significance of a threat. If the payload of the packets is an attack that your organization is vulnerable to, it is far more of a threat than a random attack that uses a tool you’re not susceptible to.

  • Analyzing the results of your own attack traffic when testing a system. This uses the same concepts as watching a third-party attack traffic but can be used inside of a network to monitor your own testing.

  • Capturing traffic to determine whether network controls such as an IPS, firewall, or proxy work. A sniffer deployed at each point along the path between the sender and receiver can provide in-depth information about what traffic is permitted, and whether the network security devices are making changes to the traffic. This process is very similar to the process that many network and security professionals use when diagnosing network connectivity issues, but it changes the focus from making traffic flow to ensuring that controls work.

As you can see, sniffers are a critical part of your arsenal of tools when you are conducting vulnerability scans and penetration tests. The process for penetration testing, including the selection of tools from those discussed here, is covered in the “Penetration testing” section later in this chapter.

Important: The Importance of Logging

Logging your scans by using a sniffer can be incredibly useful when your scanner is accused of causing problems such as a system crash or outage. Complete logs will allow you to provide details about which systems you were scanning at any given time and how they responded. Although it’s rare, it is possible that your scan could take a system or network down!

Port scanners

key.jpg

One of the first tools that a security professional uses from his toolbox when starting to assess a network is a port scanner. Port scanners provide a quick and easy way to assess the services that are exposed on a network and can help analysts quickly get an idea of whether an organization’s systems are well maintained and secured or if there are problems throughout the network.

Port scanners attempt to connect to services hosted on systems and devices on a network, and then they monitor responses. In their simplest form, they check to see which ports respond, but they can provide a variety of capabilities beyond that if they analyze the responses from the systems they receive data from.

More Info: NMAP Scanning

Over the years, port scanners have added a range of capabilities intended to allow them to be more effective. A quick read through the Nmap guide to port scanning techniques can help you explore how many ways there are to scan a network. You can find the full list of techniques at http://nmap.org/book/man-port-scanning-techniques.html.

One of the major advantages of port scanners is that they can be quite fast. Unlike the vulnerability scanners we will discuss next, a port scanner is focused on a very limited set of information about systems, which helps it provide a quick list of ports and services, often with basic operating system identification thrown in. Most vulnerability scanners also limit themselves to a set of default ports, rather than scanning the full set of 65,535 ports that could be exposed to the world. Of course, scanning only part of the range of ports means that services that run on different ports might be missed!

Real world

Nmap

The network mapper Nmap is an open-source security scanner that is one of the most popular port scanners in the world. Nmap provides the ability to discover hosts, identify which ports are accessible and what state they are in, perform service identification for the services running on those ports, and determine the likely operating system of the host (see Figure 7-3). Versions of Nmap have been created for most major operating systems, making it a common choice for most security professionals who need to conduct a port scan.

Figure 7-3

Figure 7-3 In this Nmap scan, a vulnerable Linux system provides a huge number of services, including FTP, SSH for remote access, SMTP email, DNS, a web server, and many other ports.

In the scan shown in Figure 7-3, Nmap also identified that the scan was run against a Linux system that appeared to be running a 2.6.x branch of Linux, and that the host itself appears to be a VMWare virtual machine. You now know much more about the system, but you don’t know if these services are vulnerable.

Of course, port scanning alone cannot provide a full understanding of the vulnerabilities that a system might have. When your scan completes, you will probably have useful information about potential targets, and you might even have some ideas about which systems might be vulnerable. With that data in hand, the next step for most security professionals is to scan the systems identified by a port scan with a vulnerability scanner.

Vulnerability scanners

key.jpg

Vulnerability scanners are the next step up in the scanning process. There are two common types of vulnerability scanners: network vulnerability scanners and web application vulnerability scanners. We’ll explore each in turn.

Network vulnerability scanners

Network vulnerability scanners are designed to scan for vulnerable systems through a network. After they are provided with a target, which can be a single system, a network, or a whole range of addresses, they scan for and connect to services. This allows them to gather information about the version of the application or service running and to check it against a database of known vulnerable versions. More advanced vulnerability scanners also conduct tests to determine if specific vulnerabilities exist, either by testing for specific signs, or querying information on the system for details of what is installed. Some vulnerability scanning tools even allow you to embed administrative credentials that allow the scanner to log into systems they’re scanning to verify software versions and other system settings directly.

In Figure 7-4, a scan was conducted against a sample vulnerable system by using Nessus, apopular vulnerability scanning package, resulting in a list of vulnerabilities. As you can see, the sample vulnerability selected from the scan is classified by its risk level based on the significance of the issue that would be created by exploitation of the vulnerability.

Figure 7-4

Figure 7-4 Nessus provides detailed vulnerability information for each vulnerability it discovers.

In this example, Nessus found 156 results, and the figure shows a high-security issue from that list that involves the SUDO command in Ubuntu Linux. Note that Nessus provides a description, a solution suggestion, links to details on the vulnerability itself, and information about when the vulnerability was discovered.

Web application vulnerability scanners

key.jpg

Web applications are the face of most organizations, and those applications can have a wide range of vulnerabilities, such as to the cross-site scripting, SQL injection, and faulty logic issues we discussed in Chapter 5, “Threats and attacks.” Each application can respond differently to its users, and the way applications display data, accept input, and interact with back-end database servers can vary greatly. This means that web application assessment is a relatively specialized discipline. Until recently, most network vulnerability scanners did not have strong web application vulnerability assessment capabilities, leaving a niche for a variety of specialized web application vulnerability scanners (sometimes called web application security scanners). This is slowly changing, and major products are starting to add increasingly useful web application scanning tools to their existing vulnerability scanning products.

Web application vulnerability scanners act like an attacker might, and feed web applications bad input, change what forms send back to the application, and attempt to inject SQL statements, along with other specialized techniques. They also check for common misconfigurations, sample files and scripts, and vulnerable versions of the underlying software for websites such as their scripting engines and web servers.

Exam Tip

The CompTIA Security+ exam expects you to know the difference between vulnerability scanning and web application vulnerability scanning. Remember that web application vulnerability scanning focuses on application and logic vulnerabilities, and vulnerability scanners look at vulnerable versions and configurations of services.

In Figure 7-5, you can see a simple open-source web application and server vulnerability scanner called Nikto. Nikto’s primary focus is on web servers and common vulnerabilities in known web applications, which means it is a useful tool to check for known vulnerabilities. Unlike more complex scanners, Nikto doesn’t provide an in-depth scanning tool for custom applications.

Figure 7-5

Figure 7-5 This Nikto scan identified the system as an Ubuntu Linux server running Apache 2.2.28 with PHP 5.2.4, which is outdated. In addition, Nikto identified multiple vulnerabilities listed in the Open Source Vulnerability Database (OSVDB) that could be issues or misconfigurations.

More complex scanners include internal logic that can analyze custom web applications and can identify vulnerabilities in how they handle input and user interaction. In Figure 7-6, the open-source Web Application Attack and Audit Framework (w3af) scanner has been run against a vulnerable application. Unlike Nikto, it explored the full application and attempted to feed it a variety of input.

Figure 7-6

Figure 7-6 w3af provides far more information about vulnerabilities in the application than Nikto does.

In the example scan shown in the figure, you can see a list of issues with descriptions. Theselected vulnerability that is marked by red text provides more information, including the user name and password for a vulnerable phpMyAdmin installation on the target system.

NOTE: When Automated Tools Aren’t Enough

Automated tools provide many features and don’t get bored while scanning, but in many cases it takes a human to fully understand the internal logic of a web application. Thus, although web application scanning tools are a useful part of a vulnerability management program, you may still want to engage a talented web application assessment tester if it is absolutely critical that your web applications are secure.

No matter what type of vulnerability scanner you use, you should bear in mind that scanners are rarely 100 percent accurate. Vulnerability scanning is a useful tool as part of a strong vulnerability management program, and is a key part of a defense in depth strategy, but it isn’t enough protection on its own.

More Info: Comparing Web Vulnerability Scanners

Shay Chen’s 2012 Web Application Vulnerability Scanner comparison tested a variety of the most popular vulnerability scanning tools available today and found that none of them identified all of the vulnerabilities he was testing for. You can find his full report at http://sectooladdict.blogspot.com/2012/07/2012-web-application-scanner-benchmark.html.

tick.jpg Quick check

  1. What type of tool would you use to monitor the traffic sent by a vulnerability scanner?

  2. How do web application vulnerability scanners differ from network vulnerability scanners?

    Quick check answers

  1. A sniffer or packet analyzer is typically used to monitor the packets sent by a vulnerability scanner or port scanner. This allows you to see what is sent and received by the scanning system, providing useful information about what systems were scanned and how they responded.

  2. Web application vulnerability scanners focus on internal logic, vulnerabilities in how applications handle user input that allow attacks such as cross-site scripting, SQL injection, and similar problems. Vulnerability scanners typically look for vulnerable services and configuration issues and typically don’t understand how the applications themselves work or handle user input.

Honeypots and honeynets

key.jpg

The CompTIA Security+ exam looks at two types of systems designed to lure attackers into targeting them: honeypots and honeynets. Honeypots are specially designed systems and applications that expose tempting interfaces and vulnerabilities to potential attackers. Often they will provide a complete copy of a legitimate vulnerable system, but will be designed in a way that prevents attackers from gathering actual data or performing further attacks. Instead, they gather information about what the attackers do and how they do it. Most honeypots log every action taken on the system, and many also keep copies of files and tools that attackers bring with them.

Honeypots are often classified into one of two types:

  • Low-interaction honeypots, which provide a few commonly targeted services and are focused on studying the most heavily attacked applications and systems
  • High-interaction honeypots, which emulate an entire operating system or application, allowing attackers to perform the actions they normally would on a compromised system

Honeynets work much like honeypots do, but on a much broader scale: they are entire networks of systems designed to lure attackers in. This means that some honeynets can detect attacks in a variety of locations or attacks aimed at a variety of systems on a network.

Network honeypots are often called sinkholes. Much like honeypots, sinkholes are designed to absorb attacks safely while providing researchers and security professionals with a chance to study malicious traffic.

More Info: The Honeynet Project

Information security researchers around the world contribute to the Honeynet Project, a collaborative network of honeypots run through a nonprofit coordinating body. More information about the Honeynet Project can be found at www.honeynet.org.

Organizations might deploy honeypots or honeynets for research, allowing them to understand new threats, or for production use, to help detect attacks and new threats on their own internal networks. In addition to the honeynets and honeypots the CompTIA Security+ exam focuses on, two other common security tools exist, with related uses: darknets and tarpits.

Darknets

Darknets are segments of unused network space that host no servers and provide no services. Thus, no traffic should be sent to them, because they don’t advertise anything that should result in connections. This means that any network traffic sent to the darknet IP addresses is suspect and is likely to be of interest to security professionals.

Darknets typically host one or more systems that collect all network traffic sent to the network. When the traffic is captured, it can be analyzed to detect port scans such as those discussed earlier in this chapter. Darknets have been used to detect worm outbreaks, misconfigured systems, and a host of other abnormal network traffic.

More Info: Real-World Darknets

Team Cymru, a nonprofit security research organization, runs an extensive darknet to capture probes, malware, and other attacks that randomly attack IP addresses on the Internet. More details on the Darknet project can be found at www.team-cymru.org/Services/darknets.html, where you can access full instructions on how to set up your own darknet server.

Tarpits

In addition to detecting scans, some organizations prefer to slow down scanners. Tarpits are the answer. A tarpit is a system specifically configured to delay network connections such as those made by a worm that is scanning for new systems to compromise, or a network vulnerability or port scanner that is searching for services.

Tarpit implementations can be as simple as an increased delay for connections to an email server, and as complex as a dedicated server that responds to every connection to a subnet with a variety of connection messages, resulting in scanners taking hours to scan, only to return a list of fake services and systems.

Important: Why Tarpits and Darknets?

Though the CompTIA Security+ exam doesn’t cover darknets, tarpits, or sinkholes, the concepts behind them are useful for security professionals to keep in mind when learning about how attackers can be monitored, stopped, and studied.

Exam Tip

The CompTIA Security+ exam covers honeypots and honeynets. Simply remember that ahoneypot is a single system, and that a honeynet is more than one system, typically deployed in various network locations.

tick.jpg Quick check

  1. What type of network security tool is designed to allow attackers to break in and interact with the operating system so that security professionals can learn about their behavior?

  2. Why might you deploy a honeynet?

    Quick check answers

  1. A high-interaction honeypot is designed to provide a simulated, safe target for attackers that reacts like a real system would.

  2. Honeynets are useful for detecting attacks that are distributed across a network or that occur in more than one location. Honeynets can help security professionals determine the scope and size of a scan or attack by capturing traffic in a variety of locations.

Save to your account

This chapter is from the book

Related resources

There are currently no related titles.